(54) Title: APPARATUS AND METHOD FOR STORING DATA
(57) Abstract

A method and an apparatus for storing data comprising an original identity
(OID) and associated descriptive information (DI) are disclosed. By means of
a first algorithm (ALG1), the original identity (OID) is encrypted to an update
identity (UID) which, by means of a reversible algorithm (ALG2), is encrypted
to a storage identity (SID) which is stored as a record (P) on a storage medium
along with associated descriptive information (DI). At the times when the storage
identities (SID) of selected records (P) are to be replaced with new storage
identities (SID'), the storage identities (SID) are decrypted in order to recreate
the corresponding update identities (UID), which then are encrypted, by means of
a new and altered reversible algorithm (ALG2'), to new storage identities (SID')
intended to replace the previous storage identities (SID).
APPARATUS AND METHOD FOR STORING DATA

This invention relates to an apparatus and a method
for storing data, more specifically data comprising identifying
information, such as personal code numbers, as
well as associated descriptive information.

In computer-aided information management, it is
imperative that the individual's personal integrity be
protected against violation when setting up and keeping
personal registers, i.e. registers containing information
on individuals. Also in industry, banking and defence, as
well as many other sectors where computer-aided
information management is used, it is essential that
stored data be protected against unauthorised access. In
particular, there are regulations restricting or
prohibiting the linking and matching of personal registers,
since this often results in one or more new personal
registers containing sensitive information that can
be directly linked to individuals.

There is, however, a great need of being able to
link and match different personal registers without posing
a threat to the personal integrity of the individual.

Within this technical field, there are different
cryptographic storage methods in which, for security reasons,
the information to be stored is first encrypted and
then stored on a storage medium. However, these prior-art
encrypting methods are often sensitive to tracking, since
every registration in or update of a database involves an
alteration which, by means of tracking tools, can be
linked to the corresponding non-encrypted original information
bearing a one-to-one relation to the encrypted
information. After a number of trackings, all the
encrypted information can be converted to plain text.

This invention aims at solving the above problem of
the prior art and to this end provides an apparatus as
set forth in appended claim 1, as well as a method as set
forth in appended claim 7.

According to the invention, the information to be
stored comprises an original identity OID and associated
descriptive information DI. Examples of the original
identity are personal code number, drawing number, document
identity, and registration number for vehicles. The
associated descriptive information is such information as
does not reveal the original identity, i.e. that cannot
be linked directly thereto. A distinctive feature of the
invention is that the original identity OID is completely
separated from the descriptive information DI, which is
achieved by initially having the original identity OID
undergo a first encryption by means of a first algorithm
ALG1, resulting in an update identity UID. Then, the
update identity UID undergoes a second encryption by
means of a reversible algorithm ALG2, resulting in a
storage identity SID. The thus-created storage identity
SID is, along with associated descriptive information DI,
stored as a record on a storage medium. Thus, the original
identity is completely separated from the associated
descriptive information. If the original identity consists
of a personal code number or the like, the resulting
records may be regarded as pure information records
in contrast to personal records.

In order to prevent the descriptive information DI
from ever being relinked to the original identity OID,
the first algorithm ALG1 preferably is a non-reversible
algorithm, i.e. an algorithm giving each original identity
a unique update identity and yielding a great number
of candidate identities when decryption is attempted.

WO 95/15628 PCT/SE94/00882

Furthermore, the invention is distinguished by the
fact that the original identity OID is encrypted in two
separate steps when generating the storage identity SID,
and that the second encrypting step is performed by means
of a reversible algorithm ALG2. These distinctive features
of the invention enable the creation of "floating"
storage identities of the records in order to prevent all
unauthorised tracking. According to the invention, the
storage identities SID of selected records, preferably
all the records, stored on the storage medium are, at
certain times, replaced with new storage identities SID'.
As a result, the information obtained by tracking, if
any, is perfectly useless as soon as the storage identities
according to the invention have been replaced with
new ones. The storage identities SID of the stored
records are, according to the invention, altered by first
decrypting the storage identities SID of the selected
records by means of a third algorithm ALG3, recreating
the corresponding update identities UID. It will be
appreciated that the third algorithm ALG3 for decryption
is directly related to the reversible algorithm ALG2
which, at a previous time, was used for creating the
storage identities SID from the update identities UID.
Then, the reversible algorithm ALG2 is altered to a new
reversible algorithm ALG2', whereupon the recreated
update identities UID are encrypted to new storage identities
SID' by means of the altered, new reversible algorithm ALG2'.

The times when the storage identities are replaced
with new ones may be controlled completely at random,
occur at set intervals, depend on the number of updates,
and so forth.

In a preferred embodiment of the invention, the
selected records are, when given new storage identities,
also moved to new physical locations on the storage
medium. In combination with "floating" storage identities,
this effectively prevents all attempts at unauthorised
tracking.

The invention enables efficient retrieval of stored
data for operative as well as strategic purposes, as well
as so-called longitudinal update of strategic data.

When retrieving data for operative purposes, the
descriptive information stored for a given original identity
is retrieved for reading, update, alteration, printout,
and so forth. According to the invention, this is
possible by first encrypting such a given original identity
to a storage identity in two steps by means of the
above two algorithms. All stored records containing the
thus-obtained storage identity can be expediently located
and the corresponding descriptive information be retrieved.
In particular, such retrieval of operative data associated
with a given original identity does not require
any decryption of the corresponding storage identity, nor
any storage of the given original identity, which prevents
all unwanted linking between the original identity
and the associated descriptive information.

In order to retrieve data for strategic purposes,
the storage identity can be put to effective use when
putting together data that have the same storage identity.
Retrieving data for strategic purposes differs from
retrieving data for operative purposes in that one does
not wish or need to know to which original identity a
certain item of descriptive information belongs, but
one nevertheless has to be absolutely certain that all
the descriptive information retrieved belongs to the same
original identity. Obviously, this is of great importance
when, and this is a case of particular interest, the original
identity corresponds to a specific individual,
since the invention makes it possible to put together,
for strategic purposes, descriptive information relating
to different individuals, without any risk of their identities
being revealed. It is to be understood that the
invention enables so-called longitudinal update of strategic
information, which among other things means that a
given individual is observed for some time and that, at
different times, new descriptive information is stored in
such a manner that it can be linked to information previously
stored for the same individual, without there
being any risk of revealing the identity of the individual.

It should be emphasised that the storage of new
descriptive information associated with a certain original
identity does not necessarily require the creation
of a new record containing the storage identity and the
descriptive information. The new descriptive information
may instead be stored in an existing record whose storage
identity corresponds to the original identity at issue.

These and other distinctive features, properties and
advantages of the invention are stated in the appended
claims and also appear from the following description of
one mode of implementation of the invention. In the drawings,

Fig. 1 is a block diagram illustrating how the
invention can be implemented in a computer system,

Fig. 2 illustrates different encrypting steps used
when storing information in accordance with the invention,
and

Fig. 3 illustrates encrypting and decrypting steps
used when altering the storage identities in accordance
with the invention.

Reference is now made to Fig. 1, which illustrates
a computer system comprising an authorisation check system
ACS, which may be of any known type; a number of user
tools or applications, of which one is designated APPL 1;
a database manager DBM; a database 10, which here
includes a public register 20 for storing public information,
an operative register 30 for storing operative
data, and a strategic register 40 for storing strategic
data; a hardware component 50; and a program module 60.
The invention is chiefly implemented in the hardware component
50 and the program module 60.

The hardware component 50 has an encapsulation that
renders it tamper-proof in order to prevent monitoring by
tracking tools or compilation. The hardware component 50
acts as a distributed processor, which in particular has
the functions of

- creating reversible and non-reversible encrypting algorithms,

- supplying randomly-produced variables for encrypting
and decrypting algorithms,

- initiating, e.g. at times chosen at random, an alteration
of the storage identities of stored records,

- storing the encrypting and decrypting algorithms last
used,

- storing information on user authorisations, if several
users are to be authorised to have access to an operative
record, and

- linking an original identity (e.g. a personal code number)
to the right record in a database.

Thus, the hardware component 50 may comprise a
microprocessor, a microcode-programmed PROM storage,
required I/O units, encrypting and decrypting units,
and storage units for storing information on the algorithms
employed as well as the user authorisations. The
construction of the hardware component 50 may vary with
different applications and is easily implemented by those
skilled in the art with the aid of the present description,
for which reason the construction of this component
will not be described in more detail here.

The program module 60 primarily serves to handle the
dialogue between the hardware component 50 and the user
application at issue. The program module 60 also handles
the dialogue between the hardware component 50 and the
authorisation check system ACS, and the sorting out or
removal of stored data, events log, and so forth. The
program module 60 may also transfer records from operative
registers to strategic registers when records are
being sorted out from the former.

In the following description of the system of
Fig. 1, the designations given below will be used for
describing the encrypting and decrypting algorithms
employed. Generally speaking, the encrypting and decrypting
algorithms can be described as follows:

F_type(Random number, Input data) = Results

wherein

F designates a function,

type indicates the type of function. (In this
embodiment, the following types are used:
F_KIR = Non-reversible encrypting algorithm
F_KR = Reversible encrypting algorithm
F_DKR = Decrypting algorithm),

Random number represents one or more constants and/or
variables included in the function F,

Input data are the data to be encrypted or decrypted,
and

Results indicate a unique function value for
a given function.

The process for storing information in the database
10 will now be described with reference to Figs 1 and 2
in conjunction. It is a condition that the information to
be stored can be divided into identifying information and
associated descriptive information. The following information
on a specific individual is given as an example.

INFORMATION TO BE STORED
+----------------------------+--------------------------+
| IDENTIFYING INFORMATION    | DESCRIPTIVE INFORMATION  |
+----------------------------+--------------------------+
| PERSONAL CODE NUMBER (PCN) | DI                       |
| NAME                       |                          |
| ADDRESS                    |                          |
+----------------------------+--------------------------+

In the first step of the process, the information
is divided into identifying information and descriptive
information.
In a second step (illustrated in Fig. 2), the identifying
information (PCN, NAME, ADDRESS) is stored in the
public register 20, optionally in the form of plain text,
since this information is of the type that is generally
accessible.

In a third step, an original identity OID is selected
from the identifying information. In this example,
OID = personal code number PCN. The original identity OID
is encrypted by means of a non-reversible algorithm ALG1,
which is produced at random by the hardware component 50.
This non-reversible encryption results in an update identity
UID as follows:

ALG1: F_KIR(Random number, OID) = UID

The encrypting algorithm ALG1 is such that attempts
at decryption of the update identity UID to the original
identity OID result in a great number of identities,
which makes it impossible to link a specific UID to the
corresponding OID.
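Why the non-reversibility claimed for ALG1 rests on the random number being secret, as an added Python illustration that is not part of the patent. The patent later states that "encryption" encompasses "hashing"; this block contrasts ALG1 instantiated as a bare SHA-256 hash with ALG1 instantiated as HMAC-SHA256 under a key held in component 50. The five-digit code space, the sample code 04253, the key values and every function name are constructed for the illustration; a real personal code number space is larger but is enumerated in exactly the same way.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Added illustration, not the patent's code. The five-digit code space is an
# assumption chosen so the enumeration runs in well under a second.
DIGITS = 5
OID_SPACE = 10 ** DIGITS


def unkeyed_alg1(oid: str) -> bytes:
    """ALG1 as a bare hash: an attacker can recompute it for every OID."""
    return hashlib.sha256(oid.encode()).digest()


def keyed_alg1(key: bytes, oid: str) -> bytes:
    """ALG1 as a keyed one-way function: recomputing it needs the secret key,
    which the patent keeps inside the tamper-proof hardware component 50."""
    return hmac.new(key, oid.encode(), hashlib.sha256).digest()


def invert_by_enumeration(uid: bytes, alg1: Callable[[str], bytes]) -> Optional[str]:
    """Tracking attempt: walk the whole OID space and return the code whose
    ALG1 output equals the observed UID, or None if no code matches."""
    for n in range(OID_SPACE):
        oid = f"{n:0{DIGITS}d}"
        if alg1(oid) == uid:
            return oid
    return None


def demo() -> tuple:
    """Returns (code recovered from the unkeyed UID, result for the keyed UID)."""
    target = "04253"                   # constructed sample personal code
    recovered = invert_by_enumeration(unkeyed_alg1(target), unkeyed_alg1)
    secret = b"\x7f" * 32              # inside component 50; unknown to the attacker
    attacker_key = b"\x00" * 32        # the attacker's guess of the secret
    not_recovered = invert_by_enumeration(
        keyed_alg1(secret, target), lambda oid: keyed_alg1(attacker_key, oid))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('04253', None)
```

For the unkeyed hash the enumeration returns the one code that produced the UID, so the "great number of identities" the passage speaks of is only obtained when the attacker cannot evaluate ALG1 himself. That is the role of the random number generated and kept inside the hardware component 50.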

In a fourth step, the update identity UID is
encrypted by means of a reversible algorithm ALG2, which
also is produced at random by the hardware component 50.
This reversible encryption results in a storage identity
SID as follows:

ALG2: F_KR(Random number, UID) = SID

The encrypting algorithm ALG2 is such that there
exists a corresponding decrypting algorithm ALG3 by means
of which the storage identity SID can be decrypted in
order to recreate the update identity UID.

In a fifth step, the obtained storage identity SID
is stored along with the descriptive information DI as an
information record P on the storage medium, which is
designated M in Fig. 2. In this example, the record P is
stored in the operative database 30 as well as in the
strategic database 40.

Preferably, all alterations in the databases are
performed in randomly time-controlled batches, such that
every alteration in one register normally involves simultaneous
alteration or addition of a plurality of records,
which is intended to prevent tracking. To this end, data
can be stored temporarily in a buffer store, optionally
in encrypted form.
As appears from the foregoing, a stored information
record P has the following general appearance:

+------------------------+------------------------------+
| Storage identity (SID) | Descriptive information (DI) |
+------------------------+------------------------------+

Since the original identity OID is encrypted in two
steps, of which the first is non-reversible and the
second is reversible, it is possible to store the
descriptive information DI along with a storage identity
SID that never can be linked to the original identity
OID, as well as to create "floating" (i.e. which change
over time) storage identities SID while retaining the
possibility of locating, for a specific original identity
OID, the associated descriptive information DI stored.

The process for creating "floating" storage identities
will now be described in more detail with reference
to Fig. 3.

As mentioned above, the storage identities SID are
changed over time in order to prevent, or at least make
much more difficult, all attempts at tracking, i.e.
unauthorised attempts at locating, when a register is
updated, where and in which form given original information
is stored on the storage medium.

The times when the storage identities SID are to be
replaced with new storage identities SID' can be controlled
at random by the hardware component 50. Alternatively,
these times can be controlled by other factors, such
as the number of alterations in or updates of the database.

At every such time, one decrypts the storage identities
SID of all the records P whose storage identities are to
"float" or be altered. The hardware component 50 has an
internal storage, in which is stored information on the
reversible algorithm ALG2 last used, which makes it possible,
at each time, to produce in the hardware component
50 a corresponding decrypting algorithm ALG3, by means of
which the storage identities SID can be decrypted in
order to recreate the corresponding update identities
UID.

ALG3: F_DKR(Random number, SID) = UID

Thus, the following relationship applies:

F_DKR(Random number, F_KR(Random number, UID)) = UID

Thereafter, the hardware component 50 produces, by
means of new random numbers (Random number') a new and
altered reversible algorithm ALG2', by means of which the
recreated update identities UID are reversibly encrypted
to new and altered storage identities SID' to be stored
along with the associated descriptive information in the
selected records.

ALG2': F_KR(Random number', UID) = SID'

As described in the foregoing in connection with
general storage of information, the alteration of the
storage identities on the storage medium preferably
takes place in a batch.

When the storage identities SID of the records P
are thus to be replaced with the new storage identities
SID', one may, as a further matter of precaution, move
the records P to new physical locations on the storage
medium.

In a preferred embodiment of the invention, such an
alteration of the storage identities is produced every
time the content of the databases is to be altered or
updated.

Operative data is retrieved from the operative register
30 in Fig. 1 in the following manner. To begin
with, the user inputs the current original identity OID,
i.e. PCN, to the program application APPL 1 along with a
statement concerning the requested information. APPL 1
stores the PCN and the statement on the requested information,
i.e. the statement on the register or database
where the information is to be searched for, and then
transmits the PCN and the database statement to the database
manager DBM which is to retrieve the requested
information. The database manager notes that the records
of the current database are protected by the inventive
system, and therefore transmits the PCN along with the
database name to the program module 60 and the hardware
component 50. The database name indicated is used for
producing, from tabular information stored in the hardware
component 50, the correct algorithms ALG1 and ALG2 by
means of which the PCN is converted via the update identity
UID to the storage identity SID. The thus-produced
storage identity SID is transmitted to the database manager
DBM, which then searches in the database at issue
(here the operative register 30) for descriptive information
DI whose storage identities correspond to the storage
identity SID produced. The database manager DBM
returns the descriptive information DI to the application
APPL 1, which links the thus-produced descriptive information
DI to the personal code number PCN. It should here
be emphasised that the personal code number is stored in
APPL 1 only, i.e. in the working storage of the computer,
and the identity of the individual thus remains perfectly
safe.

Data are retrieved from the strategic database 40
without resorting to the use of any original identity
OID. The search is based directly on the descriptive
information, and since descriptive information associated
with one and the same individual is stored along with the
same storage identity SID, all descriptive information
associated with a single individual is easily put together
without in any way threatening the anonymity of the
individual.
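The two-step scheme of Fig. 2, the refloating of Fig. 3 and the two retrieval modes just described, as an added Python example that is not part of the patent. The patent specifies no concrete ciphers, so the choices here are assumptions: ALG1 (F_KIR) is HMAC-SHA256 under a secret key, ALG2 (F_KR) is an eight-round Feistel permutation whose round function is HMAC-SHA256 under a second key, and ALG3 (F_DKR) is that permutation run backwards. The two keys play the role of the patent's "random numbers", and the HardwareComponent class stands in for component 50 and the tabular algorithm information it holds. The personal code numbers and visit strings are constructed sample data, and every function and class name is the example's own.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Iterable

# Added example, not the patent's code. Keys stand in for the patent's
# "random numbers"; HMAC-SHA256 for ALG1 and an HMAC-based Feistel
# permutation for ALG2/ALG3 are this example's assumptions.
BLOCK = 32    # UID and SID are 32-byte values here
ROUNDS = 8    # Feistel rounds


def alg1(key1: bytes, oid: str) -> bytes:
    """ALG1 (F_KIR): keyed non-reversible encryption OID -> UID."""
    return hmac.new(key1, oid.encode(), hashlib.sha256).digest()


def _feistel(key: bytes, block: bytes, rounds: Iterable[int]) -> bytes:
    """Balanced Feistel network over a 32-byte block. The round function is
    HMAC-SHA256 under `key`, truncated to half a block. Running the same
    rounds in reverse order inverts it, which is what makes ALG2 reversible."""
    half = BLOCK // 2
    left, right = block[:half], block[half:]
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:half]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left  # undo the last swap so the inverse mirrors the forward pass


def alg2(key2: bytes, uid: bytes) -> bytes:
    """ALG2 (F_KR): reversible and deterministic UID -> SID; determinism is
    required so that equal UIDs give equal SIDs and lookup works."""
    return _feistel(key2, uid, range(ROUNDS))


def alg3(key2: bytes, sid: bytes) -> bytes:
    """ALG3 (F_DKR): inverse of ALG2 under the same key, SID -> UID."""
    return _feistel(key2, sid, reversed(range(ROUNDS)))


class HardwareComponent:
    """Stand-in for component 50: holds key1 and the key2 of the ALG2 last
    used. The keys never leave this object; the database sees only SIDs."""

    def __init__(self) -> None:
        self.key1 = os.urandom(32)
        self.key2 = os.urandom(32)

    def storage_identity(self, oid: str) -> bytes:
        """Fig. 2, steps 3-4: OID -> UID -> SID, used for storing and for
        operative retrieval alike; no decryption is ever needed."""
        return alg2(self.key2, alg1(self.key1, oid))

    def refloat(self, records: list) -> None:
        """Fig. 3: SID -> UID with ALG3 (old key2), then UID -> SID' with
        ALG2' (new key2'), for the whole batch at once."""
        new_key2 = os.urandom(32)
        for rec in records:
            rec["SID"] = alg2(new_key2, alg3(self.key2, rec["SID"]))
        self.key2 = new_key2


def store(hw: HardwareComponent, db: list, oid: str, di: str) -> None:
    """Step 5: record P = (SID, DI). The OID itself is never written."""
    db.append({"SID": hw.storage_identity(oid), "DI": di})


def retrieve_operative(hw: HardwareComponent, db: list, oid: str) -> list:
    """Operative retrieval: recompute the SID from the given OID and match."""
    sid = hw.storage_identity(oid)
    return [rec["DI"] for rec in db if hmac.compare_digest(rec["SID"], sid)]


def group_strategic(db: list) -> dict:
    """Strategic retrieval: collect DI per SID without knowing any OID."""
    groups = defaultdict(list)
    for rec in db:
        groups[rec["SID"]].append(rec["DI"])
    return dict(groups)


if __name__ == "__main__":
    hw, db = HardwareComponent(), []
    # Constructed sample data: two personal code numbers, three records.
    store(hw, db, "19650101-1234", "visit 2024-01-10")
    store(hw, db, "19650101-1234", "visit 2024-03-02")
    store(hw, db, "19720505-5678", "visit 2024-02-14")
    before = [rec["SID"].hex()[:16] for rec in db]
    hw.refloat(db)
    after = [rec["SID"].hex()[:16] for rec in db]
    print("SIDs before refloat:", before)
    print("SIDs after refloat: ", after)
    print("operative lookup:", retrieve_operative(hw, db, "19650101-1234"))
    print("strategic groups:", [len(v) for v in group_strategic(db).values()])
```

ALG2 has to be deterministic rather than randomised, because operative retrieval works by recomputing the SID and never by decrypting; the same property is what lets strategic retrieval group records by SID. Its cost is that equal SIDs are visible to anyone who can read the table, which is exactly the linkage that refloating invalidates. Note also that neither key appears in the database: whoever holds both keys together with the table can link records to candidate personal code numbers by enumeration, which is why the patent keeps the "random numbers" inside the tamper-proof component 50.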

Different encrypting algorithms can be used in the
operative register 30 and the strategic register 40. However,
the non-reversible algorithm ALG1 may be the same.
Furthermore, it will be appreciated that the tabular
algorithm information stored in the hardware component
50 may comprise many more registers than are shown in
Fig. 1.

The inventive embodiment described above can be
modified in many ways within the scope of the invention
as defined in the appended claims. The term "encryption"
is meant to encompass the term "hashing" throughout.

In one modification of the inventive method that is
of particular interest, each information record P in the
operative database 30 is supplemented with a user identity
UI as follows.

+------------------------+--------------------+------------------------------+
| Storage identity (SID) | User identity (UI) | Descriptive information (DI) |
+------------------------+--------------------+------------------------------+

Thus, it becomes possible to link records to individual
users in the operative database. When a user attempts to
retrieve the information in a record, it is checked
whether he is authorised to have access to the record in
question. In particular, it becomes possible for different
users to store descriptive information about one and
the same individual without enabling unauthorised users
to gain access to the information stored. The user identity
UI in stored records can be changed without affecting
the storage identity SID or the descriptive information
DI. If a user is to have access to records containing
other user identities UI than his own, the hardware
component 50 can be supplemented with a table containing
stored information that controls such authorisation.

Another conceivable modification of the embodiment
described provides the possibility of using a reversible
algorithm in the first encrypting step ALG1, which does
not, however, involve the same degree of security as the
use of a non-reversible algorithm.

Finally, it should be mentioned that, if need be,
also the descriptive information can be encrypted before
storage by means of a reversible algorithm in order to
enhance security even further.
CLAIMS

1. An apparatus for storing data comprising an original
identity (OID) and associated descriptive information
(DI), characterised by

a first encrypting means (50) which is arranged, by
means of a first algorithm (ALG1), to encrypt the original
identity (OID) to an update identity (UID),

a second encrypting means (50) which is arranged, by
means of a reversible algorithm (ALG2), to encrypt the
update identity (UID) to a storage identity (SID), which
is to be stored along with associated descriptive information
(DI) as a record (P) on a storage medium (30, 40),
and

a decrypting means (50) which is arranged, at times
when the storage identities (SID) of selected stored
records (P) are to be replaced with new storage identities
(SID'), to decrypt these storage identities (SID)
in order to recreate the corresponding update identities
(UID),

the second encrypting means (50) being arranged, at
said times and by means of an altered reversible algorithm
(ALG2'), to encrypt the recreated update identities
(UID) to new storage identities (SID'), which are to
replace the previous storage identities (SID).

2. An apparatus as set forth in claim 1, characterised
by a means arranged to randomly establish
said times when the storage identities (SID) of the
selected records (P) are to be replaced with new storage
identities (SID').

3. An apparatus as set forth in any one of the preceding
claims, characterised by the first
algorithm (ALG1) for creating the update identity (UID)
being a non-reversible algorithm.

4. An apparatus as set forth in any one of the preceding
claims, characterised by the first
and the second encrypting means and the decrypting means
being implemented as a hardware component (50).

5. An apparatus as set forth in claim 4, characterised
by the hardware component (50) comprising
a processor of its own, which is adapted to act as a
distributed processor in a computer.

6. An apparatus as set forth in claim 4 or 5,
characterised by the hardware component (50)
being adapted to create variable algorithms and comprising
a means for storing the algorithms last created.

7. A method for storing data comprising an original
identity (OID) and associated descriptive information
(DI), characterised by the steps of

encrypting the original identity (OID) to an update
identity (UID) by means of a first algorithm (ALG1),

encrypting the update identity (UID) to a storage
identity (SID) by means of a reversible algorithm (ALG2),

storing the storage identity (SID) and the descriptive
information (DI) as a record (P) on a storage medium
(30, 40), and

performing the following substeps at times when the
storage identities (SID) of selected stored records (P)
are to be replaced with new storage identities (SID'):

- decrypting the storage identities (SID) of the selected
records (P) in order to recreate the corresponding
update identities (UID),

- altering the reversible algorithm (ALG2) and encrypting,
by means of the altered reversible algorithm
(ALG2'), the recreated update identities (UID) to new
storage identities (SID'), and

- replacing the storage identities (SID) of the selected
records (P) with the new storage identities (SID').

8. A method as set forth in claim 7, characterised
by the step of selecting, as said selected
records (P), all the records (P) stored on the storage
medium (30, 40).

9. A method as set forth in claim 7 or 8, characterised
in that the step of replacing the storage
identities (SID) of the selected records (P) with the
new storage identities (SID') is carried out in a batch,
so that the storage identities (SID) of the selected
records (P) are altered essentially simultaneously on the
storage medium (30, 40).

10. A method as set forth in any one of claims 7-9,
characterised in that the step of replacing
the storage identities (SID) of the selected records (P)
with new storage identities (SID') also comprises moving
the selected records (P) to new physical locations on the
storage medium (30, 40).

11. A method as set forth in any one of claims 7-10,
characterised by the step of encrypting also
the descriptive information (DI) before this is stored on
the storage medium in the respective records (P).